11-19-2012 07:58 AM - edited 03-07-2019 10:07 AM
Dear community,
in my simple network setup, I cannot resolve DNS queries from inside my NATted network. On the router I can ping both IP addresses and names. Ping from the local machine works for IP addresses but not for names. When doing nslookup, addresses are not found and a SERVFAIL message is returned.
I use a Cisco ISR 861 Router to connect our local LAN to the Internet (The WAN of the 861 is connected to another DHCP/NAT-Router, which in turn connects to the ISP-Modem). Addresses in the local LAN are DHCP-distributed, the DNS-Servers from my ISP are configured on the Router and the DNS-Information is distributed correctly to my local LAN machines (as I can verify by doing nslookup on Linux).
In the Forum I was not able to find appropriate hints. I'm new to Cisco and quite desperate about this issue, having spent many hours to get things running. Can anyone please help me to find out which part of my config could be wrong? The running-configuration is appended.
Thanks, Benjamin
11-19-2012 11:09 PM
Hi,
to know that you can do this:
enable
conf t
access-list 199 permit udp any any eq 53
access-list 199 permit udp any eq 53 any
logging buffered 100000 debug
do clear log
do debug interface Fastethernet4
do debug ip pack deta 199
do sh log
do u all
do undebug interface Fastethernet4
and look at the log outputs
Regards.
Alain
Don't forget to rate helpful posts.
11-19-2012 10:34 AM
Hi,
of course if the pings are working from your router, it means that you've got a default route from DHCP.
Now this default route has an AD of 254, so what you did by configuring a static default route with an AD of 1 is flushing out the DHCP route from the routing table. The behavior you had with the default route configured with an outgoing interface means that the next-hop router is not doing proxy-arp for security purposes, and by the way Cisco recommends not to configure a static route pointing to a multipoint outgoing interface.
It surely isn't a NAT problem otherwise your pings to IP addresses from hosts would also have failed.
From what OS are you doing the pings and/or nslookups? Is it from Linux or Windows?
Regards.
Alain
Don't forget to rate helpful posts.
11-19-2012 11:01 AM
I was using Linux. I tried with Windows now and it's the same problem. nslookup is returning the message "Query refused."
11-19-2012 11:10 AM
Being that you connect to another router that's also doing nat, you could create a static route pointing back to the 192.168.22.0/24 subnet. Then you wouldn't need to nat on this router at all.
11-19-2012 11:17 AM
Unfortunately, on the other Router I don't have access. As soon as the configuration is working, I will connect the Router directly to the ISP's modem (Cisco DPC 3212). AFAIK, that one does not offer any routing-options at all. It is only able to assign an address to one device (the Router).
So I presume that I have to do the NAT in the Router.
11-19-2012 11:08 AM
Hi,
Can you provide the output of your /etc/resolv.conf file ?
Regards.
Alain
Don't forget to rate helpful posts.
11-19-2012 11:19 AM
the resolv.conf contains just the three nameserver entries, which I configured in the Router:
nameserver 80.69.98.110
nameserver 217.20.112.194
nameserver 217.70.142.66
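Added example, not part of the thread: the two nslookup results reported above (SERVFAIL on Linux, "Query refused" on Windows) are different DNS response codes, and a small probe run from a LAN host shows per resolver whether a reply arrives at all and which RCODE it carries. The function names and the constructed sample replies are assumptions made for this illustration; RCODE values are those of RFC 1035.

```python
import socket
import struct
import sys

# RCODE values from RFC 1035, section 4.1.1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Build a recursive (RD=1) A-record query for `name`."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!2H", 1, 1)

def classify(query, reply):
    """Return (rcode_name, recursion_available, answer_count) for a reply,
    or raise ValueError if it is not a response to `query`."""
    if reply is None or len(reply) < 12:
        raise ValueError("short or missing reply")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", reply[:12])
    if qid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("not a response to this query")
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode), bool(flags & 0x0080), ancount

def probe(server, name, timeout=3.0):
    """Send one UDP query to server:53; a timeout means nothing came back."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            reply, _ = s.recvfrom(512)
        except OSError as exc:
            return "no reply (%s)" % exc
    return classify(query, reply)

def constructed_reply(query, flags):
    """Constructed sample: echo the question with the given flags word."""
    return query[:2] + struct.pack("!H", flags) + query[4:]

if __name__ == "__main__":
    q = build_query("example.com")
    print(classify(q, constructed_reply(q, 0x8182)))  # constructed SERVFAIL
    print(classify(q, constructed_reply(q, 0x8105)))  # constructed REFUSED
    for ns in sys.argv[1:]:  # resolver addresses, e.g. those in resolv.conf
        print(ns, probe(ns, "example.com"))
```

Run it with the resolver addresses from resolv.conf as arguments. A timeout points at the path (routing, NAT, filtering), while an RCODE means the query reached a server that answered with an error.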